Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] jboss-vuln-cve2010-0738.nse
From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Jun 2012 09:27:40 -0700

On Sat, Jun 16, 2012 at 10:53:51AM +0200, Patrik Karlsson wrote:
On Sat, Jun 16, 2012 at 5:39 AM, Tiago Natel de Moura <tiago4orion () gmail com
wrote:

Hi list, this is just a script that I created to exploit the CVE-2010-0738
of JBoss.

description = [[
JBoss Enterprise Application Platform is prone to multiple vulnerabilities,
including an information-disclosure issue and multiple
 authentication-bypass
issues. An attacker can exploit these issues to bypass certain security
restrictions to obtain sensitive information or gain unauthorized access
to the application.
this script will attempt to exploit one of these vulnerabilities and get a
reverse shell on the target machine.

This exploit is a rewrite to NSE of the Kingcope's perl exploit (
daytona_bsh.pl).

More information:
http://www.exploit-db.com/exploits/16274/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
http://www.securityfocus.com/bid/39710
]]

Hi Tiago,

This seems to be a very useful script! Thanks for taking the time to write
it!
We do have an existing, more generic, script that checks whether a resource
could be retrieved using different HTTP methods.
It defaults to the jmx-console and first tries a GET and then a HEAD. The
script also provides the possibility to change the path to something else
to test other servers than jboss for the same vulnerability. The name of
the script is http-method-tamper.

I'm not sure what to do here but I suggest the following, but would like
comments from others before we decide how to procede.
- We keep the http-method-tamper as a generic way for testing method
tampering.
- We extend the http-method-tamper script with spidering capabilities and
remove the connection it has to jboss.
- We add code to this new script that allows to do the check in a less
intrusive manner, in the same way as the http-method-tamper does.
- The check is default unless the reverse_host and revers_port arguments
are given, at which point the script does exploitation

What needs to change in http-method-tamper in order for it to be able to
detect this vulnerability. It seems to me that it already does, with no
changes? It uses the same /jmx-console path as this exploit script. So
is the only thing different about this new script, the addition of
exploit code?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault